Tomasz Kasperczyk Tomasz Kasperczyk - 3 months ago 15
Apache Configuration Question

PHP - local file repo security

I'm creating a file repository with a web-interface. Users will be able to log in (simple PHP authorisation system) and browse their files stored on the server. Each directory has a name, which determines to which user it belongs.
I'm struggling with securing the whole thing - I can't simply throw all the files into the document root, because everyone will be able to access them. All answers related to this problem suggest, that all private and sensitive data should be placed outside of the document root.
That's what I did, but now I can't find a way to show these files to the user when he logs in.
How should I approach this problem? Storing them in a database as BLOBs is a bad idea, because each file has over 1.5G.
The fact that these are video files which will be played by using a javascript plugin is also important - they need to be directly accessed by the user's browser.

Answer

If you want the user to go through your PHP for authentication and access the file outside of the document root that's fine. Just do normal authentication and then you can use X-Sendfile header to have your web server serve up the file from any location on your file system. See the documentation for your web server on how to enable sendfile: e.g. Apache httpd, Nginx

So here's the basic idea...

if (isset($_SESSION['user_authenticated'])) { // or however you verify the user
    header('X-Sendfile: ', $pathToFileForDownload); // your web server will do the rest
}
Comments